Polymarket Security / Ops Team I'm posting this here because nobody is responding to me at all. This morning I was targeted and compromised by a highly sophisticated AiTM (Adversary-in-the-Middle) phishing campaign that originated from a malicious link dropped in the live market comment section. I ended up taking a significant loss, but I have mapped the entire exploit funnel and want to hand the forensic data. Here is the exact sequence the threat actor used: They posted a comment regarding "disappearing liquidity" in a market I was actively trading, linking to what appeared to be a legitimate news source: feedreuters.com. That domain hosted a fake article titled "Polymarket US Opens the Gates to Everyone | Reuters", which contained a link to check the market. The link routed to an active reverse-proxy infrastructure at polymarket.usmarketsupdate.com. This proxy perfectly mirrored the Magic Labs login flow, intercepted my session token, and immediately liquidated my position. The primary collection wallet the attacker used is G55RKasUnddqB2J9rRVbyvGcP7fMjw17CpmbnB3uiXWS. It is currently sitting on over $1.7 Million USD (21,700+ SOL), indicating this is a highly capitalized threat actor targeting the community.
Polymarket Security / Ops Team I'm posting this here because nobody is responding to me at all. This morning I was targeted and compromised by a highly sophisticated AiTM (Adversary-in-the-Middle) phishing campaign that originated from a malicious link dropped in the live market comment section. I ended up taking a significant loss, but I have mapped the entire exploit funnel and want to hand the forensic data. Here is the exact sequence the threat actor used: They posted a comment regarding "disappearing liquidity" in a market I was actively trading, linking to what appeared to be a legitimate news source: feedreuters.com. That domain hosted a fake article titled "Polymarket US Opens the Gates to Everyone | Reuters", which contained a link to check the market. The link routed to an active reverse-proxy infrastructure at polymarket.usmarketsupdate.com. This proxy perfectly mirrored the Magic Labs login flow, intercepted my session token, and immediately liquidated my position. The primary collection wallet the attacker used is G55RKasUnddqB2J9rRVbyvGcP7fMjw17CpmbnB3uiXWS. It is currently sitting on over $1.7 Million USD (21,700+ SOL), indicating this is a highly capitalized threat actor targeting the community.